The U.S. government's recent accusations against two Chinese companies are seriously overblown.

By Trevor Timm

Trevor Timm is an activist and blogger at the Electronic Frontier Foundation. He has a law degree from New York Law School.

October 12, 2012

The U.S. House Intelligence Committee released a much-publicized report on Monday accusing two Chinese companies — Huawei and ZTE, the world’s second- and fourth-largest telecommunications-equipment suppliers respectively — of providing opportunities for the Chinese government to spy on the United States. The report labeled both corporations national security threats and recommended that U.S. companies cease doing business with them.

Much of the media coverage of Huawei and ZTE is certainly eyebrow-raising. Yes, it’s clear the Chinese government holds tight control over two of the country’s most successful private companies, and Huawei and ZTE executives have numerous ties to the government, like all companies in China in sensitive industries. The United States is also undoubtedly the victim of a huge volume of cyberattacks originating from the Chinese mainland.

Although the report — at least the unclassified version — is full of sound and fury, it is almost devoid of anything conclusively connecting Huawei and ZTE with the charges levied against them. The 11-month investigation, which Huawei requested, starts from the presumption of guilt and works backwards from there: All its conclusions are based on the suspicion of wrongdoing. As 60 Minutes reported two-thirds of the way into its segment on Huawei this past Sunday, almost as an afterthought, "[T]here’s no hard evidence" that any of the espionage allegations are true.

It seems that the House intelligence committee’s response to potential cybersecurity threats has been to circumvent the Bill of Rights using "national security" as an excuse, while the committee avoided the most effective solutions — like examining the two companies’ code and vulnerability testing all foreign-made communications equipment — that would make the nation’s communications infrastructure safer.

Even before the investigation started, the U.S. government had been unofficially pressuring companies to refuse business with Huawei, calling into question whether Huawei and ZTE have ever been afforded due process. According to Sunday’s 60 Minutes report, former Secretary of Commerce Gary Locke called the head of Sprint in 2010 when they were close to signing a $5 billion contract with Huawei and convinced Sprint to back out of the deal. (The Wall Street Journal has also reported on the phone call.) When the head of a small U.S. telecommunications company, United Wireless, bought equipment from Huawei he couldn’t get anywhere else, he received a visit from two federal agents who were "not pleased" with his business ties, according to 60 Minutes.

The consequences for ignoring the issues surrounding Huawei and ZTE are serious, and the U.S. government should prevent government agencies from entering into contracts that could harm the United States. And the U.S. government has good reason to fear the Chinese government’s connection to Huawei and ZTE from past experience: Even if their equipment is perfectly safe now, it could be turned against the United States in the future.

But the U.S. government, along with House Intelligence Committee chairman Rep. Mike Rogers, has effectively blacklisted Huawei and ZTE, even though the two companies have not been convicted of — let alone charged with — any crimes. Rogers even called into question the patriotism of any company doing business with Huawei, telling 60 Minutes, "If I were an American company today… and you are looking at Huawei, I would find another vendor if…you care about the national security of the United States of America."

In September, two other members of the House Intelligence Committee, Republicans Sue Myrick and Frank Wolf, went further, taking the extraordinary step of pressuring DLA Piper, one of the largest business law firms in the world, to drop ZTE as its client, citing the "threats your client may pose to the national security of the United States."

The tactic of aligning attorneys with the crimes their clients are accused of committing is antithetical to the legal traditions in the United States and the 6th Amendment of the Constitution, which guarantees the right to legal representation. That tradition dates back to another conflict between two nations, when founding father John Adams insisted on representing in court the British soldiers accused of committing the Boston Massacre.

Incredibly, despite an 11-month investigation the committee did not actually test any piece of Huawei or ZTE’s equipment, according to the House report. This did not prevent Committee members from accusing both companies of installing in their products "backdoors" — bits of code that would allow China to monitor transmissions over the equipment. As Forbes writer Andy Greenberg pointed out, the most effective solution would be to test "for the backdoors and bugs that Congress believes Huawei and ZTE may have installed and apply those tests to all the networking equipment that comes through the door." ZTE even suggested that a third party conduct a "thorough review and analysis of software codes" and run "vulnerability scans and penetration tests" of their systems, similar to how the British government tests Huawei products. Yet the intelligence committee refused to even test the equipment as part of its investigation.

This is why, despite charges of "national security," the rhetoric of the Intelligence committee smacks of economic protectionism. While Huawei and ZTE have far closer ties to the Chinese government, U.S.-owned Cisco, the likely greatest beneficiary of this report, manufactures many of its own parts in China. In fact, all major U.S. networking companies source from China and present many of the same "supply chain risks" the report warns about.

There is no doubt the installation of backdoors into communications equipment is a justifiable worry. They will not only facilitate privacy abuses and Chinese cyberattacks, but also give criminals an easier avenue of attack. Unfortunately, the United States is looking to do the same thing itself. FBI Director Mueller complained to Congress in September that Internet communications providers "are not required to build or maintain intercept capabilities" and asked Congress to pass a surveillance bill that would force telecommunications companies — plus services like Facebook, Google, and Skype — to install government-friendly backdoors in all their software.

As Wired’s Kim Zetter explained, "In practice, this means that all carrier-grade networking equipment sold worldwide comes with built-in capabilities to wiretap citizens, no matter what country they live in. Computer security experts have long pointed out that such capability can be hijacked by others to intercept communications."

Former Commerce and State Department official James Lewis, now with the Center for Strategic and International Studies, argued on 60 Minutes that the real difference in Huawei and ZTE’s case is China’s state control. In the United States, "companies are used to throwing their weight around, telling the government what to do," he said. "In China, a company is a Chia Pet. The state tells them what to do, and they do it."

Yet AT&T, Verizon, and Bell South — at the time the three largest telecom companies in the United States — showed all the spine of a Chia Pet and famously bowed to pressure in the aftermath of 9/11, when they handed over billions of phone and email records as part of the National Security Administration’s warrantless wiretapping program. The companies were in such clear violation of federal law that Congress later handed the telecom companies full, retroactive immunity for assisting the government.

This is why the report’s final recommendation is its best one: transparency. More transparency from telecommunications companies, both in their equipment’s capabilities and their policies and procedures for interacting with governments, is vital in keeping citizens’ privacy, and in guaranteeing the safety of U.S. infrastructure. That principle should be applied to Chinese companies, American companies, and every company in between.